Warning: Can't synchronize with repository "(default)" (/home/git/ome.git does not appear to be a Git repository.). Look in the Trac log for more information.
Notice: In order to edit this ticket you need to be either: a Product Owner, The owner or the reporter of the ticket, or, in case of a Task not yet assigned, a team_member"

User Story #1382 (accepted)

Opened 15 years ago

Last modified 12 years ago

Improve LDAP support

Reported by: jamoore Owned by: jamoore
Priority: critical Milestone: Unscheduled
Component: Deployment Keywords: n.a.
Cc: jay_copeland@…, stephen.ogg@…, FCORNELI@…, atarkowska, cxallan Story Points: n.a.
Sprint: n.a. Importance: n.a.
Total Remaining Time: 9.0d Estimated Remaining Time: n.a.

Change History (14)

comment:1 Changed 15 years ago by jmoore

  • Cc stephen.ogg at imb.a-star.edu.sg FCORNELI@… added; stephen.ogg at imb.a-star.edu.sg FCORNELI at its.jnj.com removed

comment:2 Changed 15 years ago by jmoore

  • Cc stephen.ogg@… added; stephen.ogg at imb.a-star.edu.sg removed

comment:3 Changed 14 years ago by jmoore

  • Milestone changed from OMERO-Beta4.1 to OMERO-Beta4.2

comment:4 Changed 14 years ago by jmoore

  • Cc cxallan added
  • Description modified (diff)

The liferay integration uses the following parameters:







comment:5 Changed 14 years ago by jmoore

(In [6550]) fix #2025 - Fixing ldap tests post-refactoring (see #1382)

With this commit, the basic reconfiguration of LDAP is finished.
Usability and performance improvements should be added to #1382

comment:6 Changed 14 years ago by jmoore

As a follow up on #2025, the new properties which we are currently testing are:


The filters and mappings are as in the liferay documentation above. The "new_user_group" property is an experiment to allow for various styles of mapping:

  • no prefix implies use the static group named "${omero.ldap.new_user_group}"
  • the ":ou:" prefix means map the users last organizationl unit to a group name, "ou=IT,ou=division,o=college" would map to a group of "IT"
  • the ":attribute:" prefix means take the possibly multi-valued attribute defined and add the user to all groups
  • the ":query:" attribute is a query run under the group filter which has all the user mapping properties plus "${dn}" available to it, so that the above example looks for all groupOfNames with a member attribute with the dn as a value
  • a possible (unimplemented) prefix ":bean:" could allow for implementing one's own NewUserGroupMapper

comment:7 Changed 14 years ago by jmoore

  • Description modified (diff)

comment:8 Changed 14 years ago by jmoore

  • Description modified (diff)

comment:9 Changed 14 years ago by jmoore

(In [6916]) see #1382 - Ldap tests and NewUserGroupBean interface. See also #2029

This interface is only responsible for adding groups based on newly
created users. ome.security.auth.RoleProvider and PasswordProvider
are two other interfaces which are available. The three together may
be sufficient for #2029.

comment:10 Changed 14 years ago by jmoore

  • Description modified (diff)

comment:11 Changed 14 years ago by cxallan

A single user filter such as:


Does not allow users that match to login.

comment:12 Changed 13 years ago by jmoore

  • Description modified (diff)
  • Priority changed from major to critical

comment:13 Changed 12 years ago by jmoore

  • Description modified (diff)

comment:14 Changed 12 years ago by agilo

  • Status changed from new to accepted

Updated status, related task in progress

Note: See TracTickets for help on using tickets. You may also have a look at Agilo extensions to the ticket.

1.3.13-PRO © 2008-2011 Agilo Software all rights reserved (this page was served in: 0.108911 sec.)

We're Hiring!